I don't see why this is an issue for you. & is the right representation, the browser takes care of rendering that as a quote. You need to see what you are doing with the incoming data before displaying it. Also, have a look at html_escape() / h() helper function and sanitize data before database insertion. You shouldn't be storing a & into the database text field.